How to test Aviatrix Transit VPC for AWS — without requiring a connection to your data center?

How-To Guide

15 minute read

This note describes how to set up and test the Aviatrix Next-Generation Transit Solution in AWS without having to make any connection into your datacenter. Instead, you create a VPC that emulates the datacenter. For introductory details on the transit solution, refer to: https://aws.amazon.com/answers/networking/aws-global-transit-network/

With this approach you create 3 VPCs. The first emulates the datacenter; the second and third are the transit and spoke VPCs. The end goal is to test transit connectivity from the Spoke VPC to the “Datacenter VPC”, as illustrated in this diagram:

Steps:

1. Create 3 VPCs in your AWS Account, with CIDRs that do not overlap each other (overlapping CIDRs let the tunnel come up but leave nothing routable across it):

DC-Emulate (plays the role of your on-premise/datacenter environment)

Transit-VPC

Spoke-VPC

Note: Make sure each of these VPCs has at least one public subnet, i.e. a subnet whose route table has a default route to an Internet Gateway (IGW). The Aviatrix gateway and the test instances need to live in such a subnet to be reachable by their public IPs.

2. Create a VGW (Virtual Private Gateway) in the same region as the Transit-VPC and attach it to the Transit-VPC. The attachment is temporary and only needed for the connectivity test in steps 11 and 12; you detach it again in step 13.

3. Launch one test instance (Amazon Linux) in each of the three VPCs. You need SSH access to these instances to run the connectivity tests, so allow TCP/22 in their security groups from your own address. Also allow ICMP so that you can ping between them; ICMP is a protocol rather than a port, so add a security group rule of type ICMP (echo request, or all ICMP). Opening it from 0.0.0.0/0 works, but the only sources that need to reach the instances are the three VPC CIDRs, so restrict the rule to those.

4. Log in to the Aviatrix Controller and create a Gateway in the DC-Emulate VPC. This Gateway plays the role of your datacenter IPsec device (the "customer gateway" from AWS's point of view). Note the public IP address (EIP) of this Gateway; you need it in the next step.

5. Next, build the AWS side of the IPsec tunnel between the DC-Emulate Gateway and the VGW attached to the Transit-VPC. In the AWS console, create a Customer Gateway (CGW): select the Static routing option and enter the EIP of the DC-Emulate Gateway as the IP address.

6. Create a VPN Connection in the AWS console:

Pick the VGW and CGW you just created.

Select Static routing and enter the CIDR of the DC-Emulate VPC in the Static IP prefix textbox. This is the prefix AWS will route into the tunnel.

Leave the Tunnel Options blank; AWS then generates the pre-shared keys and the inside tunnel addresses for you.

Click Create.

7. Select the VPN Connection you just created and click Download Configuration. Select “Generic” as the vendor and click Download.

8. Open the downloaded file and note the IPsec configuration parameters. For each of the two tunnels it lists the VGW outside IP address, the pre-shared key, the IKE (phase 1) and IPsec (phase 2) authentication, encryption and DH-group settings, and the inside tunnel addresses. The file contains the pre-shared keys in clear text, so treat it as a secret: do not attach it to tickets or commit it to a repository, and delete it once the test is done.

9. Switch to the Aviatrix Controller and create a Site2Cloud Connection on the DC-Emulate Gateway. Fill in the parameters from the configuration file: the VGW outside IP as the remote gateway, the pre-shared key, and the phase 1 and phase 2 algorithms exactly as listed. For the Remote CIDRs, enter the Transit and Spoke VPC CIDRs (comma separated); the local side is the DC-Emulate VPC CIDR, the same prefix you entered as the Static IP prefix in step 6.

10. Within a few seconds the VPN Connection in the AWS console and the Site2Cloud connection in the Aviatrix Controller both show as “Up”:

11. To test connectivity across this tunnel, add a route to the Transit-VPC's route table (the one used by the subnet of the Transit test instance):

DC-Emulate CIDR -> VGW

Without this route the tunnel is up, but traffic from the Transit-VPC instance towards the DC-Emulate CIDR has no path to the VGW.

12. Now test connectivity between the test instances in the DC-Emulate and Transit VPCs, for example by pinging the private IP of one instance from the other. (Hint: the instance security groups must allow ICMP, see step 3.)

13. Once connectivity is verified:

Detach the VGW from the Transit-VPC. The VPN Connection belongs to the VGW, not to the VPC, so it stays in place after the detachment.

Delete the manual route entry you added to the Transit-VPC route table in step 11; its target is no longer attached to the VPC.
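The following Python script is added here as an example; it is not part of the original guide and not Aviatrix or AWS tooling. It covers the manual parts of steps 1, 6, 8, 9 and 11: it parses the “Generic” configuration file from step 7 into the values the Site2Cloud form asks for, masks the pre-shared key before anything is printed, and checks that the three VPC CIDRs do not overlap before producing the Static IP prefix, the Remote CIDRs string and the Transit-VPC route. The file layout it parses, the embedded sample file (documentation addresses, placeholder keys) and the Site2Cloud field names are assumptions, not taken from the page.

```python
"""Added example (not from the original guide, Aviatrix or AWS): parse the 'Generic' VPN
configuration file that AWS downloads for a VPN Connection, derive the Site2Cloud values
from it, and sanity-check the lab CIDRs. The file layout ('!'-prefixed lines, '#n:' section
headers, '- Key : Value' pairs) is an assumption based on the Generic file as observed."""
import ipaddress
import itertools
import re

# One tunnel block in the Generic layout. Constructed sample: RFC 5737 / RFC 3927 addresses,
# placeholder keys, not real secrets.
_TUNNEL = """\
! IPSec Tunnel #{n}
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : {psk}
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #2: IPSec Configuration
!   - Authentication Algorithm : hmac-sha1-96
!   - Encryption Algorithm     : aes-128-cbc
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : {vgw_ip}
! Inside IP Addresses
!   - Customer Gateway         : 169.254.{n}0.2/30
!   - Virtual Private Gateway  : 169.254.{n}0.1/30
"""
SAMPLE_CONFIG = (
    "! Your VPN Connection ID\t\t: vpn-0123456789abcdef0\n"
    "! Your Virtual Private Gateway ID\t: vgw-0123456789abcdef0\n"
    + _TUNNEL.format(n=1, psk="EXAMPLEpsk1.not.real", vgw_ip="198.51.100.20")
    + _TUNNEL.format(n=2, psk="EXAMPLEpsk2.not.real", vgw_ip="198.51.100.21")
)

_ID_RE = re.compile(r"^!\s*Your (.+?) ID\s*:\s*(\S+)")
_TUNNEL_RE = re.compile(r"^!\s*IPSec Tunnel #(\d+)")
_SECTION_RE = re.compile(r"^!\s*#(\d+):")
_IPBLOCK_RE = re.compile(r"^!\s*(Outside|Inside) IP Addresses")
_KV_RE = re.compile(r"^!\s*-\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_generic_config(text):
    """Return {'ids': {...}, 'tunnels': {n: {'ike', 'ipsec', 'outside', 'inside'}}}."""
    cfg = {"ids": {}, "tunnels": {}}
    tunnel = section = ipblock = None
    for line in text.splitlines():
        if m := _ID_RE.match(line):
            cfg["ids"][m.group(1)] = m.group(2)
        elif m := _TUNNEL_RE.match(line):  # a new tunnel header resets the section state
            tunnel = {"ike": {}, "ipsec": {}, "outside": {}, "inside": {}}
            cfg["tunnels"][int(m.group(1))] = tunnel
            section = ipblock = None
        elif m := _SECTION_RE.match(line):
            section, ipblock = {"1": "ike", "2": "ipsec", "3": "interface"}.get(m.group(1)), None
        elif m := _IPBLOCK_RE.match(line):
            ipblock = m.group(1).lower()
        elif (m := _KV_RE.match(line)) and tunnel is not None:
            bucket = ipblock if section == "interface" else section
            if bucket in tunnel:  # ignore pairs outside a section we understand
                tunnel[bucket][m.group(1)] = m.group(2)
    return cfg


def site2cloud_params(cfg, tunnel_no=1):
    """Map one tunnel onto the Site2Cloud form; the field names here are assumed labels."""
    t = cfg["tunnels"][tunnel_no]
    return {
        "remote_gateway_ip": t["outside"]["Virtual Private Gateway"],  # VGW outside IP
        "local_gateway_ip": t["outside"]["Customer Gateway"],  # must equal the DC-Emulate EIP
        "pre_shared_key": t["ike"]["Pre-Shared Key"],
        "phase1_auth": t["ike"]["Authentication Algorithm"],
        "phase1_encryption": t["ike"]["Encryption Algorithm"],
        "phase1_dh_group": t["ike"]["Perfect Forward Secrecy"].rsplit(" ", 1)[-1],
        "phase2_auth": t["ipsec"]["Authentication Algorithm"],
        "phase2_encryption": t["ipsec"]["Encryption Algorithm"],
        "phase2_dh_group": t["ipsec"]["Perfect Forward Secrecy"].rsplit(" ", 1)[-1],
        "inside_cidr": t["inside"]["Customer Gateway"],
    }


def redact(params):
    """Mask the pre-shared key before the parameters are printed, logged or pasted."""
    return {k: "***" if "key" in k else v for k, v in params.items()}


def plan_cidrs(dc_cidr, transit_cidr, spoke_cidr, vgw_id):
    """Reject overlapping lab CIDRs (tunnel up, nothing routes) and return the form strings."""
    nets = {"DC-Emulate": dc_cidr, "Transit-VPC": transit_cidr, "Spoke-VPC": spoke_cidr}
    parsed = {name: ipaddress.ip_network(c) for name, c in nets.items()}  # strict: rejects host bits
    for (na, a), (nb, b) in itertools.combinations(parsed.items(), 2):
        if a.overlaps(b):
            raise ValueError(f"{na} {a} overlaps {nb} {b}")
    return {
        "vpn_static_ip_prefix": dc_cidr,                     # step 6
        "s2c_remote_cidrs": f"{transit_cidr},{spoke_cidr}",  # step 9
        "transit_route": f"{dc_cidr} -> {vgw_id}",           # step 11
    }


if __name__ == "__main__":
    cfg = parse_generic_config(SAMPLE_CONFIG)
    print(redact(site2cloud_params(cfg, 1)))  # never print the real key
    print(plan_cidrs("10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16", cfg["ids"]["Virtual Private Gateway"]))
```

Run it against the real file with parse_generic_config(open(path).read()). A local_gateway_ip that differs from the EIP noted in step 4 means the CGW was created with the wrong address, and a ValueError from plan_cidrs means the VPCs from step 1 need new CIDRs before you continue.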

In the next steps, you connect the Transit-VPC to this VGW using an Aviatrix tunnel and then create the transit connection to the Spoke-VPC:

14. Switch to the Aviatrix controller and go to the Transit Network navigation tab.